Hey! You inherited the maintenance of a Debian or Ubuntu server and you wonder whether the previous admin modified some sensitive files? Is your system safe? Can you trust it?

debsums to the rescue!

TL;DR

sudo apt install debsums
sudo debsums -as --no-prelink --no-locale-purge

Explain to me how it works

As you may know, when you install a Debian package, you can find its postinst, postrm, preinst or prerm scripts in the /var/lib/dpkg/info folder.

$ ls -alh /var/lib/dpkg/info/debsums.*
-rw-r--r-- 1 root root  116 Jul 14  2018 debsums.conffiles
-rw-r--r-- 1 root root 1.5K Apr 28 06:47 debsums.list
-rw-r--r-- 1 root root 1.5K Jul 14  2018 debsums.md5sums
-rwxr-xr-x 1 root root 1.3K Jul 14  2018 debsums.postinst
-rwxr-xr-x 1 root root 1.3K Jul 14  2018 debsums.postrm

An interesting file is the .md5sums one, which contains an MD5 checksum of each file installed by the package, e.g. for debsums itself:

$ cat debsums.md5sums
16878447551a73b29cb1395223264659  usr/bin/debsums
e94d7179b008960df541ac9a13143514  usr/bin/rdebsums
6ca0fc7fbb0e9703ea16f4d6d4653a87  usr/sbin/debsums_init
c354050db680f86b47f1cf57fc6c4d5b  usr/share/doc/debsums/README
ab1f1110020d2fafd8e2493f9ec2a16a  usr/share/doc/debsums/changelog.gz
770d751553e6559e9eaefd2e11ccf7e9  usr/share/doc/debsums/copyright
08ee7daec878279ffd34d073c2f93098  usr/share/lintian/overrides/debsums
1563dd58bd1db2afe6b52725a1a883b2  usr/share/man/de/man1/debsums.1.gz
41590f195bd24e233054b67994f961ec  usr/share/man/de/man8/debsums_init.8.gz
b8eff242e9af75a306e495d48d355472  usr/share/man/es/man1/debsums.1.gz
045941a6501e5138aef343ecf9ddfec3  usr/share/man/es/man8/debsums_init.8.gz
d8f4e6212023e4e87dfb92aa8b2d546a  usr/share/man/fr/man1/debsums.1.gz
5c3fd5e2d14592348641396d98991f73  usr/share/man/fr/man8/debsums_init.8.gz
f618cd24ae294c0048ddcadec23b7cb4  usr/share/man/man1/debsums.1.gz
6c762efb36a5d62162ca8757fc9d41c1  usr/share/man/man1/rdebsums.1.gz
624f39cbc100fe4dc006f642342b6c58  usr/share/man/man8/debsums_init.8.gz
7576e1b6392c5aab9d0c0a3672d4d58c  usr/share/man/pt/man1/debsums.1.gz
a1a3c6714228726f32c75c79c9b5a5ee  usr/share/man/pt/man8/debsums_init.8.gz
a08a945573bde383284cb848d3486845  usr/share/man/ru/man1/debsums.1.gz
19e81512c718e2af2f0646cf78186117  usr/share/man/ru/man8/debsums_init.8.gz
08deea301a908578741ed10b1c13a580  usr/share/man/sv/man1/debsums.1.gz
1ddd11b004185df36fce426618798116  usr/share/man/sv/man8/debsums_init.8.gz

debsums then recomputes the checksum of every file referenced in all the .md5sums files under /var/lib/dpkg/info and reports any file that no longer matches \0/
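To make the mechanism concrete, here is a small POSIX shell reimplementation of that check, added as an example (it is not debsums' own code): it walks every .md5sums file under the dpkg info directory, recomputes the MD5 of each listed file relative to a root directory, and reports mismatches in debsums' output style. The root directory parameter is an addition so the function can be tried on a constructed tree as well as on /.

```shell
#!/bin/sh
# Reimplementation of the core debsums check (added example, not debsums itself).
# For every <pkg>.md5sums under the dpkg info directory, compare the recorded
# MD5 of each file with the file as it currently exists under ROOT.
# Prints one line per changed or missing file and returns 0 when everything
# matches, 1 otherwise. Like "debsums -a", conffiles are checked as well.
#
# Usage: check_md5sums [ROOT] [INFO_DIR]
#   ROOT      filesystem root to check (default: /)
#   INFO_DIR  directory holding the .md5sums files
#             (default: ROOT/var/lib/dpkg/info)
# Against a live system: sudo sh -c '. ./check_md5sums.sh; check_md5sums'
check_md5sums() {
    root="${1:-/}"
    info="${2:-${root%/}/var/lib/dpkg/info}"
    status=0
    for sums in "$info"/*.md5sums; do
        [ -f "$sums" ] || continue
        pkg="$(basename "$sums" .md5sums)"
        # Each line is "<32 hex md5><two spaces><path relative to root>"
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            expected="${line%%  *}"
            rel="${line#*  }"
            file="${root%/}/$rel"
            if [ ! -f "$file" ]; then
                echo "debsums: missing file /$rel (from $pkg package)"
                status=1
                continue
            fi
            actual="$(md5sum "$file" | cut -d' ' -f1)"
            if [ "$actual" != "$expected" ]; then
                echo "debsums: changed file /$rel (from $pkg package)"
                status=1
            fi
        done < "$sums"
    done
    return "$status"
}
```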

You are now good to go for a Debian package system analysis:

$ sudo debsums -as --no-prelink --no-locale-purge
debsums: changed file /etc/ssl/openssl.cnf (from openssl package)
debsums: changed file /usr/bin/os-prober (from os-prober package)

As you can see, debsums reported 2 files on my system that have been modified. It's worth investigating :)